pix

Hello,
I have a question:
Is it possible to configure PAT and NAT together on a PIX 506E?
My problem:
I have a connection from my local network to the internet through a PIX 506E (dynamic PAT on the external interface).
I need to add a connection from the internet to a dedicated computer in my local network through the PIX.
I configured a 1-1 translation from outside IP 209.xx.xx.xx to inside 192.168.xx.xx and I forwarded the port.
But it doesn't work.
I can't use telnet to this computer and port.
Maybe I have to add a global NAT for this outside IP.
thx
henry

If you only get 1 public IP address then you cannot do both a 1-1 nat and PAT for other outbound traffic.
You can simply use static port-forwarding, with corresponding acl.
For example - you have a web server and an email server:

I have 5 public IP addresses.
I only need to add a NAT rule from one external IP to one internal IP, and I need to leave the existing PAT configuration unchanged.
I'm new to firewalls, so maybe it is very easy, but I can't do it.
thx
henry

What is another way to establish this connection?
Upgrade this firewall, or I don't know (add one more interface to this firewall, if possible)?
Configure a VPN?
Is it possible to configure a VPN on this firewall?

In my company I also have an ISA 2004 firewall, but it is not connected now.
In the future I'll connect these two firewalls (PIX and ISA) together in a back-to-back configuration.
What do you think? Is it a good idea to connect these firewalls together, or is it better to connect only the ISA 2004 firewall as the edge firewall?
henry

>What is another way to establish this connection
You have not exactly spelled out what this connection is supposed to do/be.

You said that you have more than 1 IP address to use. Then you can do just as I demonstrated above using 1 IP for the interface/global and another one for the 1-1 NAT.
You just have to adjust the acl. If you must permit all ip to this one host, through nat, then adjust the acl like this (although I still wouldn't recommend it):
access-list outside_in permit ip any host 209.x.x.y
access-group outside_in in interface outside

Else, yes, you can create a client VPN scenario to this PIX, VPN in from the client, then have full wonderful -secure- access to the internal server.

I would, however, suggest upgrading 6.1(4) to the latest 6.3(5) before doing that.
As far as utilizing both the PIX and the ISA, I would never use any system running MS Windows that has to be patched often and unfailingly, without time to test out the patches, and rebooted often as my edge firewall. The PIX is absolutely the better Edge firewall. Use the ISA as a one-legged cache-only proxy to control user outbound access, provide reports, and enhance user experience.
I see no viable reason to connect these two firewalls back-back

http://www.cisco.com/cgi-bin/tablebuild.pl/pix
You'll have to have a CCO account login to get the upgrade.
The upgrade is safe and painless and "fixes" a lot of things. If you also get the PDM3.04 that goes with it, it wraps a nice Java based GUI around it with VPN wizards that make it a snap to configure VPNs.
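
An added configuration sketch, not part of any post in this thread, showing the arrangement discussed above: the dynamic PAT kept as it is, plus a 1-1 static for one host, with the ACL narrowed to a single service instead of `permit ip any`. The addresses 203.0.113.10 and 192.168.1.10, TCP port 443 and the form of the existing PAT lines are constructed assumptions; the syntax is PIX 6.x, and lines starting with `!` are reader annotations.

```cisco
! Existing outbound PAT on the outside interface address (assumed form, left unchanged)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! 1-1 static for one inside host on a second public address (placeholders)
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Broad form: every protocol and port on the host is reachable from the internet
! access-list outside_in permit ip any host 203.0.113.10

! Narrowed form: only the one published service (TCP 443 assumed here)
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! Checks after applying: flush stale translations, then confirm the static
! exists and that the ACL entry's hit counter rises during a test connection
clear xlate
show xlate
show access-list outside_in
```

The ACL name in `access-group` has to match the `access-list` name exactly, and `clear xlate` drops current translations, so active sessions through the PIX are interrupted when it runs.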

Hello again,
I have one more question about the ISA 2004 server.
I have ISA installed on a Win2003 server.
If I want to configure ISA as a proxy server and as the machine that controls internet access for the inside network (for example, allowing users access to the internet only at "lunch time"), what do I need? A custom scenario?
When I check the templates in ISA, I have these options to choose from:
1. Edge Firewall
2. 3-Leg Perimeter
3. Front Firewall
4. Back Firewall
5. Single Network Adapter
If I choose option "5" I'll be able to configure the proxy server, but I probably won't be able to install "firewall clients".
How can I manage internet access on local computers from ISA?
henry

You set the ISA with Single Adapter - in cache only mode.
Set the PIX to only allow the ISA's IP address out to www
Set the client's IE to use a proxy setting. This can be set in Domain policies, or through DHCP.
No firewall client needed.
ISA can control who gets out and when.
